
Implement SEP-837: Clarify client type requirements (OIDC DCR) #880

@alexhancock

SEP-837: Update authorization spec to clarify client type requirements — rust-sdk implementation

Spec PR: modelcontextprotocol/modelcontextprotocol#837
Track: Specification · Stage: accepted · Priority: P0 · Theme: Enterprise Readiness
Needs code changes: Yes (Small)

Summary

  • References OpenID Connect Dynamic Client Registration 1.0.
  • Adds guidance for the OIDC application_type parameter during Dynamic Client Registration (e.g. native vs web), clarifying client type requirements.

Why this needs code changes in rust-sdk

DCR is performed by AuthorizationManager::register_client(..) in crates/rmcp/src/transport/auth.rs, which serializes a pub(crate) struct ClientRegistrationRequest. That struct currently has: client_name, redirect_uris, grant_types, token_endpoint_auth_method, response_types, and optional scope. It has no application_type field, so the OIDC DCR guidance isn't satisfied today.

Proposed work

  • Add #[serde(skip_serializing_if = "Option::is_none")] pub application_type: Option<String> to ClientRegistrationRequest (skip-if-none keeps it backward compatible with non-OIDC ASes).
  • Default to "native" for the typical CLI/desktop redirect (loopback/localhost) but make it configurable via OAuthClientConfig (add a with_application_type(..) builder) so web clients can opt in.
  • Set the field when building the request inside register_client(..).
  • Review client-metadata.json for a matching application_type value so CIMD and DCR agree.
  • Add a test asserting the serialized DCR body includes the expected application_type (and omits it when None).

Affected areas

crates/rmcp/src/transport/auth.rs (ClientRegistrationRequest, OAuthClientConfig, register_client), client-metadata.json.

Notes / risks

  • Small, additive. Bundle with the Enterprise Readiness auth cluster (2350, 2351, 2352, 2468).
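
An added example, not part of the issue and not rmcp code: a std-only check of redirect_uris against application_type, following OpenID Connect Dynamic Client Registration 1.0 (an omitted application_type defaults to web; native clients register custom-scheme or http loopback redirects). Every function and type name is hypothetical, and applying the https/no-localhost rule to all web clients is an assumption.

```rust
// Added example, not rmcp code: every name below is hypothetical.
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum ApplicationType { Native, Web }

/// Std-only split of a redirect URI into (scheme, host), both lowercased.
fn scheme_and_host(uri: &str) -> Option<(String, String)> {
    let (scheme, rest) = uri.split_once(':')?;
    if scheme.is_empty() { return None; }
    let host = match rest.strip_prefix("//") {
        None => "", // custom-scheme URI such as com.example.app:/cb
        Some(after) => {
            let authority = after.split(|c: char| matches!(c, '/' | '?' | '#')).next()?;
            let hostport = authority.rsplit('@').next()?; // drop any userinfo
            if hostport.starts_with('[') {
                &hostport[..=hostport.find(']')?] // IPv6 literal, e.g. [::1]
            } else {
                hostport.split(':').next()?
            }
        }
    };
    Some((scheme.to_ascii_lowercase(), host.to_ascii_lowercase()))
}

fn is_loopback(host: &str) -> bool { matches!(host, "localhost" | "127.0.0.1" | "[::1]") }

/// Redirect URI rules from OIDC DCR 1.0 for each application_type.
pub fn uri_allowed(kind: ApplicationType, uri: &str) -> bool {
    let Some((scheme, host)) = scheme_and_host(uri) else { return false };
    match (kind, scheme.as_str()) {
        (ApplicationType::Native, "http") => is_loopback(&host),
        (ApplicationType::Native, "https") => false,
        (ApplicationType::Native, _) => true, // custom URI scheme
        // Assumption: the spec's implicit-grant web rule is applied to all web clients.
        (ApplicationType::Web, "https") => !is_loopback(&host),
        (ApplicationType::Web, _) => false,
    }
}

/// What an OIDC AS would evaluate: an omitted application_type means "web".
pub fn registration_ok(declared: Option<ApplicationType>, uris: &[&str]) -> bool {
    let kind = declared.unwrap_or(ApplicationType::Web);
    !uris.is_empty() && uris.iter().all(|u| uri_allowed(kind, u))
}

fn main() {
    let cli = ["http://127.0.0.1:8080/callback"]; // constructed sample redirect
    println!("omitted: {}", registration_ok(None, &cli));
    println!("native:  {}", registration_ok(Some(ApplicationType::Native), &cli));
}
```

With the field omitted, the loopback redirect is judged under the web default and fails; declaring native makes the same registration consistent.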

Labels: P2 (Medium: important but non-blocking improvement), T-enhancement (New features and enhancements), T-security (Security-related changes), T-transport (Transport layer changes)
